Last week, officials with healthcare.gov announced plans to improve privacy across the service, including a new privacy policy, easy privacy controls for users, and a commitment to honoring the Do Not Track header.

Healthcare.gov users will now be able to disable tracking by advertising beacons, social media, and analytics services on the health care website if they so choose. And users who have turned on the "Do Not Track" feature in their browser—which is automatically enabled by Privacy Badger—will have advertising-related tracking disabled by default.

Managing the tracking opt-out preferences for healthcare.gov is a company called Tealium. According to their policy, Tealium does not “see, collect, or store [user] data.” Their system works by “building a set of instructions for the browser to execute. These rules allow the management and routing of data to be done within the browser itself and not through Tealium’s servers.” Tealium has also stated that IDs stored in its cookies are different on each website, and that they do not use any sort of browser fingerprinting or supercookies. These safeguards would make it very difficult for Tealium to use this service to track healthcare.gov visitors.

We applaud healthcare.gov's decision to support Do Not Track and give their users strong privacy controls. Since we're privacy perfectionists, though, we think there are a few more small changes they could make to improve their users' privacy even further. For example, users must accept a cookie from healthcare.gov in order to store privacy preferences; thus, users who have chosen to disable cookies will not be able to set any privacy protections. (Do Not Track will still be honored even when cookies are turned off, however.) We think that users who disable cookies are expressing a privacy preference, just like users who activate DNT, and we recommend that websites treat users who disable cookies the same way. (Note that while this would require a little clever JavaScript, it's definitely technically feasible.)

Another possible improvement would be to disable social widgets and analytics, and limit logging, for all DNT users, as provided under EFF's Do Not Track Policy. We have suggested some of these changes to healthcare.gov and are discussing with them further improvements that they can make to their system.
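As a sketch of the two suggestions above (treating disabled cookies as a privacy signal, and optionally blocking social widgets and analytics as well as advertising for users who send that signal), here is an added JavaScript example. It is not healthcare.gov's or Tealium's code; the category names, the `privacy_optout` cookie, and the `strictDnt` option are assumptions made for illustration.

```javascript
// Added illustration; not healthcare.gov's or Tealium's code.
// Category names and the "privacy_optout" cookie are hypothetical.
const CATEGORIES = ["advertising", "social", "analytics"];

// Browsers have exposed the DNT signal under different properties.
function dntEnabled(nav, win) {
  const v = nav.doNotTrack || (win && win.doNotTrack) || nav.msDoNotTrack;
  return v === "1" || v === "yes";
}

// navigator.cookieEnabled can report true while writes are refused,
// so round-trip a probe cookie and then expire it.
function cookiesUsable(nav, doc) {
  if (nav.cookieEnabled === false) return false;
  try {
    doc.cookie = "cookie_probe=1; path=/; SameSite=Lax";
    const ok = doc.cookie.indexOf("cookie_probe=1") !== -1;
    doc.cookie = "cookie_probe=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    return ok;
  } catch (e) {
    return false;
  }
}

// Explicit per-category opt-outs, e.g. "privacy_optout=advertising,social".
function storedOptOuts(doc) {
  const m = /(?:^|;\s*)privacy_optout=([^;]*)/.exec(doc.cookie || "");
  return m ? m[1].split(",").filter((c) => CATEGORIES.includes(c)) : [];
}

// Returns the third-party script categories that may be loaded.
// strictDnt=false: a privacy signal blocks advertising only.
// strictDnt=true: a privacy signal blocks social widgets and analytics too.
function allowedCategories(nav, doc, win, { strictDnt = false } = {}) {
  // Disabled cookies count as a privacy signal, exactly like DNT.
  const signal = dntEnabled(nav, win) || !cookiesUsable(nav, doc);
  const blocked = new Set(storedOptOuts(doc));
  if (signal) (strictDnt ? CATEGORIES : ["advertising"]).forEach((c) => blocked.add(c));
  return CATEGORIES.filter((c) => !blocked.has(c));
}

// In a browser, decide before injecting any third-party script tags.
if (typeof document !== "undefined") {
  console.log(allowedCategories(navigator, document, window, { strictDnt: true }));
}
```

Because the decision is derived from browser state on every page load, a visitor with cookies disabled gets the protective default without the site needing to store anything.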

We think that this is a great first step toward protecting consumer privacy on the part of healthcare.gov. We are very excited by this new development and we would be thrilled to see more organizations, both public and private, follow their lead and create a web that protects people’s privacy. Until then you can always install Privacy Badger to tell websites you do not want to be tracked, and block them when they do.
